CWE-284

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor....

Verified by Precogs Threat Research
BASE SCORE
7.5 CRITICAL

Precogs AI Insight

"Precogs AI identifies broken access control patterns including IDOR, missing authorization checks, and horizontal privilege escalation."

EXPLOIT PROBABILITYHigh
PUBLIC POCAvailable

What is CWE-284 (Improper Access Control)?

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Vulnerability Insights

Improper Access Control (CWE-284) represents a significant security risk across modern software systems. This weakness enables attackers to exploit access control flaws in applications, potentially leading to unauthorized access, data exfiltration, or remote code execution. Organizations must implement defense-in-depth strategies combining static analysis, runtime monitoring, and binary analysis to detect and mitigate these vulnerabilities.

Impact on Systems

  • Horizontal Privilege Escalation: Accessing other users' resources
  • Vertical Privilege Escalation: Gaining administrative capabilities

Real-World Attack Scenario

The attacker logs in as a standard user and intercepts the HTTP traffic. They observe that object identifiers (like user IDs or document IDs) are passed sequentially. By incrementing or modifying the ID in subsequent requests, they access resources belonging to other users or administrators because the server fails to verify authorization context.

Code Examples

Vulnerable Implementation

// VULNERABLE: Object-level access check missing
function getProfile(userId) {
    return db.find(userId);
}

Secure Alternative

// SECURE: Verifies caller owns the object
function getProfile(userId, activeSession) {
    if (activeSession.id !== userId && !activeSession.isAdmin) throw "Unauthorized";
    return db.find(userId);
}

Detection with Precogs AI

Precogs AI identifies broken access control patterns including IDOR, missing authorization checks, and horizontal privilege escalation. Our binary analysis engine examines compiled artifacts without requiring source code access, identifying CWE-284 patterns in vendor software, containers, firmware, and third-party libraries.

Remediation

Implement proper access control controls following secure coding guidelines. Use automated scanning tools like Precogs AI to continuously monitor for CWE-284 vulnerabilities across your software supply chain. Apply the principle of least privilege and validate all inputs from untrusted sources.

CVEs Classified Under CWE-28425 vulnerabilities

The following CVEs have been classified under CWE-284 (Improper Access Control). Each CVE represents a specific vulnerability instance of this weakness type.

CVE-2026-32938SiYuan is a personal knowledge management system
CVSS 9.9CRITICALMar 20, 2026
CVE-2026-32038OpenClaw before 2026
CVSS 9.8CRITICALMar 19, 2026
CVE-2026-21994Vulnerability in the Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit product of Oracle Open Source Projects (component: Desktop)
CVSS 9.8CRITICALMar 17, 2026
CVE-2025-59434[Flowise] Critical Multi-Tenant Variable Disclosure in Flowise Cloud via Custom JavaScript Function
CVSS 9.5CRITICALSep 12, 2025
CVE-2026-32693In Juju from version 3
CVSS 8.8HIGHMar 18, 2026
CVE-2026-30707An issue was discovered in SpeedExam Online Examination System (SaaS) after v
CVSS 8.1HIGHMar 17, 2026
CVE-2025-41258LibreChat version 0
CVSS 8HIGHMar 18, 2026
CVE-2025-43862[dify] Unauthorized Access and Modification of APP Orchestration
CVSS 8HIGHApr 25, 2025
CVE-2026-4221A vulnerability was found in Tiandy Easy7 Integrated Management Platform 7
CVSS 7.3HIGHMar 16, 2026
CVE-2026-4220A vulnerability has been found in Technologies Integrated Management Platform 7
CVSS 7.3HIGHMar 16, 2026
CVE-2026-4201A weakness has been identified in glowxq glowxq-oj up to 6f7c723090472057252040fd2bbbdaa1b5ed2393
CVSS 7.3HIGHMar 16, 2026
CVE-2026-4193A security vulnerability has been detected in D-Link DIR-823G 1
CVSS 7.3HIGHMar 16, 2026
CVE-2026-4191A flaw has been found in JawherKl node-api-postgres up to 2
CVSS 7.3HIGHMar 16, 2026
CVE-2026-4180A vulnerability was identified in D-Link DIR-816 1
CVSS 7.3HIGHMar 16, 2026
CVE-2026-32254Kube-router is a turnkey solution for Kubernetes networking
CVSS 7.1HIGHMar 18, 2026
CVE-2026-32761File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory
CVSS 6.5MEDIUMMar 20, 2026
CVE-2026-4505A vulnerability has been found in eosphoros-ai DB-GPT up to 0
CVSS 6.3MEDIUMMar 20, 2026
CVE-2025-59422[dify] Broken Access Control on Log Message Endpoint Allows Reading Chats of Others
CVSS 5.5MEDIUMSep 24, 2025
CVE-2025-32795[dify] Insecure User Role Access Control for APP Editing
CVSS 5.5MEDIUMApr 18, 2025
CVE-2025-32796[dify] Unauthorized APP Enable/Disable via API
CVSS 5.5MEDIUMApr 18, 2025
CVE-2025-32790[dify] Insecure User Role Access Control for APP DSL Exporting
CVSS 5.5MEDIUMApr 17, 2025
CVE-2024-24566[lobe-chat] Unauthorized access to chat plugins
CVSS 5.5MEDIUMJan 31, 2024
CVE-2026-33393Discourse is an open-source discussion platform
CVSS 4.3MEDIUMMar 19, 2026
CVE-2026-23522[lobe-chat] IDOR in Knowledge Base File Removal Allows Cross User File Deletion
CVSS 3LOWJan 19, 2026
CVE-2025-31494[AutoGPT] Cross-user sharing of node execution results through WebSockets API
CVSS 3LOWApr 11, 2025

Supplemental Intelligence & References

📋 OWASP Top 10

📖 Security Guides

🔗 External References